Snort mailing list archives

Re: "OTHER" protocol packets


From: Michael Anderson <mca () arlut utexas edu>
Date: Wed, 13 Nov 2002 15:25:02 -0600

You could run snort in a sniffer mode and give it a bpf filter to ignore the known protocols:
snort -i <interface> -v 'not tcp and not udp and not arp and not icmp'

Everything else that shows up is your other.

-Mike

Peter Caffin wrote:

Hi all,

I have a colocated box running snort that has produced the following
summary (snort run 2002/11/13 7.03am to 11/14 4.44am WST +0800):

 Snort analyzed 277068 out of 277068 packets,
 dropping 0(0.000%) packets
 Breakdown by protocol:                Action Stats:
     TCP: 28700      (10.358%)         ALERTS: 0
     UDP: 84281      (30.419%)         LOGGED: 0
    ICMP: 68         (0.025%)          PASSED: 0
     ARP: 119465     (43.118%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 44554      (16.081%)
 DISCARD: 0          (0.000%)

It's not a high-traffic site by any means and the box has been located in
a /25 subnet with some of their other customers. (The UDP is high due to
their colocated luser customers sending out volumes of netbios and bootp
crap to their broadcast.)

What really concerns me is the extremely high ARP count (I've opened a
case with my provider) and the stuff listed as "OTHER".

Anyone care to speculate what sort of traffic this "OTHER" protocol
garbage might be? Can anyone recommend any tools that would be useful to
find out?

Thanks.
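As an added example (not posted in this thread), the classification Mike's BPF filter leaves to the eye can be done on raw frames: bucket each frame the way Snort's summary does, but label every OTHER with the ethertype or IP protocol number so it can be identified. The bucket rules are an approximation of Snort's decoder, and the sample frames (VRRP, an 802.3 STP BPDU, a VLAN-tagged TCP packet) are constructed, not captured.

```python
import struct
from collections import Counter

ETHERTYPE = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8137: "IPX"}
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def classify(frame: bytes) -> str:
    """Bucket one Ethernet frame like Snort's summary (TCP/UDP/ICMP/ARP/IPv6/IPX/
    OTHER), but tag each OTHER with its ethertype or IP protocol number."""
    if len(frame) < 14:
        return "OTHER:short-frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == 0x8100 and len(frame) >= 18:   # 802.1Q tag: use inner type
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    if ethertype <= 0x05DC:                        # length field, not a type:
        return "OTHER:802.3-llc"                   # raw 802.3/LLC (STP, old IPX)
    name = ETHERTYPE.get(ethertype)
    if name == "IPv4":
        if len(payload) < 20 or payload[0] >> 4 != 4:
            return "OTHER:bad-ipv4"
        return IP_PROTO.get(payload[9], f"OTHER:ip-proto-{payload[9]}")
    return name if name else f"OTHER:ethertype-0x{ethertype:04x}"

def breakdown(frames):
    """Return {bucket: (count, percent)} for an iterable of raw frames."""
    counts = Counter(classify(f) for f in frames)
    total = sum(counts.values())
    return {k: (v, round(100.0 * v / total, 3)) for k, v in counts.items()}

# --- constructed sample frames (not captured traffic) ---------------------
def eth(ethertype, payload):
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" \
        + struct.pack("!H", ethertype) + payload

def ipv4(proto):
    # Minimal 20-byte IPv4 header carrying the given protocol number
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")

SAMPLE = [eth(0x0800, ipv4(6)), eth(0x0800, ipv4(17)), eth(0x0800, ipv4(1)),
          eth(0x0806, b"\x00" * 28),                        # ARP
          eth(0x0800, ipv4(112)),                           # VRRP, IP proto 112
          eth(0x0026, b"\x42\x42\x03" + b"\x00" * 35),      # 802.3 STP BPDU
          eth(0x8100, b"\x00\x64" + b"\x08\x00" + ipv4(6))] # VLAN-tagged TCP

if __name__ == "__main__":
    for bucket, (n, pct) in sorted(breakdown(SAMPLE).items()):
        print(f"{bucket:>22}: {n}  ({pct:.3f}%)")
```

To run it over real traffic, feed it the frame bytes from a pcap (the Ethernet payload of each record); the OTHER labels then tell you directly which ethertypes and IP protocols are filling that bucket.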
